update CSRF guidance

This commit is contained in:
Daniel Micay 2024-04-01 15:21:25 -04:00
parent 43a33855b0
commit 73481396e8


@ -1404,8 +1404,11 @@ rm android-cts-media-1.5.zip</pre>
attribute and <code>Path=/</code>. The <code>HttpOnly</code> and attribute and <code>Path=/</code>. The <code>HttpOnly</code> and
<code>SameSite=Strict</code> flags should also always be included. These kinds <code>SameSite=Strict</code> flags should also always be included. These kinds
of cookies can provide secure login sessions in browsers with fully working of cookies can provide secure login sessions in browsers with fully working
<code>SameSite=Strict</code> support. However, CSRF tokens should still be used <code>SameSite=Strict</code> support.</p>
for the near future in case there are browser issues.</p>
<p>CSRF mitigation should be implemented via enforcing the presence of
Sec-Fetch-Site with the value same-origin. Services using only POST can also do
this via the more backwards compatible Origin header.</p>
<p>For web content, use dashes as user-facing word separators rather than underscores. <p>For web content, use dashes as user-facing word separators rather than underscores.
Page titles should follow the scheme "Page | Directory | Higher-level directory | Page titles should follow the scheme "Page | Directory | Higher-level directory |
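Review bot: the new paragraph tells services to enforce the presence of Sec-Fetch-Site but does not say what to do when the header is absent (browsers that predate Fetch Metadata support, and non-browser clients), and the same hunk removes the sentence recommending CSRF tokens "for the near future in case there are browser issues", so the reader is left with no stated fallback. Suggest spelling it out, e.g. "If Sec-Fetch-Site is absent, fall back to comparing the Origin header against the site's own origin, and reject the request when neither header is present or matching." The Origin sentence is also narrower than it needs to be: "Services using only POST" should become "Services that never change state via GET", since browsers send Origin on all non-GET/HEAD requests, not only POST, and the real requirement is that state-changing endpoints reject GET. Finally, Origin can carry the literal value `null` (sandboxed frames and some redirect chains); the guidance should say that `null` must be rejected rather than treated as "no header, skip the check".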